Re: GSSAPI SSH WIN 2003

• Previous message: fjchia: "Re: SSH on Z/OS 1.4"
• In reply to: satya vadali: "GSSAPI SSH WIN 2003"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 29 Jul 2005 19:31:16 -0400

> What I am looking for is:
>
> AllowGroups/AllowUsers/DenyUsers based on their type of authentication.
>
> Ex:
> DenyUsers GSSAPI *
> AllowGroups GSSAPI my_friends

OpenSSH does not have this flexibility. In fact, I don't know of any SSH
server that does; it is one of the most long-standing inadequacies of most
SSH software, IMO. Authorization is usually completely ad-hoc and full of
random pointless restrictions -- e.g. most of the fine-grained
authorization controls in OpenSSH are only available if the client has
used publickey authentication, for the simple reasons that it's
implemented with options in the authorized_keys file.

Tectia took a step in the right direction with its
ExternalAuthorizationProgram option -- but even that is inadequate as it
stands, as the server passes very little information to the program! It
doesn't even distinguish between authid and authzid, let alone specify the
authentication method used.

I recall some talk early on about using KeyNote in OpenSSH, but don't know
what the status of that is.

> Other option for me, restrict at service ticket level from Windows AD
> 2003 level. I am not sure how and is it possible?
>
> Say i have global group in AD called "my friends":
> Add my friends to "my friends" group and only users in "my friends"
> group will get Service ticket for my HP-UX box.

I don't know if the Windows KDC can do this, but KDCs generally don't,
because this isn't the right way to address this need. The term "service
ticket" is misleading: it sounds as if the ticket provides permission to
use the service, i.e. authorization. It doesn't. The purpose of Kerberos
is authentication: the service ticket merely identifies one principal to
another, in this case authenticating a user to a server. The server's
decision of whether to allow the user access, once identified, is
authorization -- a completely separate process. Sure, you can deny
someone access to a service by refusing them authentication, but it's a
bit heavy-handed and causes other problem. As a scheme it happens to work
better with Kerberos than other systems due to the per-service
credentials, but still, it's not usually done.

-- 
  Richard Silverman
  res@qoxp.net

• Previous message: fjchia: "Re: SSH on Z/OS 1.4"
• In reply to: satya vadali: "GSSAPI SSH WIN 2003"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Using RSA key _and_ password ... Something you have (Private Key) ... Asked for via the password authentication feature. ... The issue is having the server require both authentication methods. ... OpenSSH should be able to do this. ... (SSH) RE: Using RSA key _and_ password ... I'm just not sure how to get it into OpenSSH. ... development team to try to convince them to get this feature in? ... He is trying to get OpenSSH to enforce two factor authentication ... The issue is having the server require both authentication methods. ... (SSH) Re: VDS FAQ - request for feedback ... If ChallengeResponseAuthentication is enabled on an OpenSSH server, ... OpenSSH servers with versions 2.9.9 through 3.3. ... authentication code to be executed as an unprivileged user. ... this vulnerability is largely based on which user executes authentication. ... (Focus-IDS) Re: SSH "failed none" syslog entries causing Linux failed login counter to advance. ... The OpenSSH server always attempts authentication with a null password, ... there's no need for this failure to be flagged to ... (comp.security.ssh) Re: Obtaining TGT transparently ---> Is it possible ? ... Are there any scenarios where I require a TGT on applicatinn server ... Is it possible to get the TGT transperently? ... service ticket is when the AppServer needs to initiate an authentication ... (comp.protocols.kerberos)